The changelog for 1Password update 3.5.4, released on January 28th, 2011, included the following note:
> Updated thumbnail downloader to turn off default cookie operations and prevent fetching previews from sites with bad certificates.
This may not seem like a big deal, but it should be to 1Password users. Prior to version 3.5.4, if a man-in-the-middle attacker posed as a secure site that 1Password had a stored login for, the lack of certificate validation would allow cookies stored by Safari (and by other applications, like 1Password Agent, that use the default cookie store) to be leaked to the attacker.
Your web browser normally warns you before connecting to a site with a bad SSL certificate, because disclosing GET request arguments and cookies to an impostor website is dangerous. However, 1Password's agent did not fail as it should have when it encountered a bad certificate, even if the site had a valid certificate when you saved your login. When 1Password Agent made requests, it did so with the default cookie store. This means that session cookies and other sensitive cookies could be leaked to any site posing as a secure site you log in to, whenever 1Password Agent attempted to store or update a thumbnail image of that site.
This issue was addressed in the 3.5.4 release of 1Password by no longer allowing 1Password Agent to connect to sites with bad certificates.
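As an added illustration (not code from this post or from 1Password), here is a small Python model of the two ingredients of the bug: a background thumbnail fetcher that reuses the shared cookie store and accepts bad certificates, next to the isolated-cookie-jar, strict-TLS configuration that matches the 3.5.4 fix. The site name, cookie value and all function names are constructed for the example.

```python
import http.cookiejar
import ssl
import urllib.request

# Constructed site the user has a stored login for (not a real target).
THUMBNAIL_URL = "https://example.com/favicon.ico"


def browser_cookie_jar():
    """Stand-in for the default cookie store shared with the browser:
    it holds a Secure session cookie for a site the user is logged in to."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(http.cookiejar.Cookie(
        version=0, name="session", value="constructed-session-token",
        port=None, port_specified=False,
        domain="example.com", domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={}))
    return jar


def private_cookie_jar():
    """What a thumbnail fetcher should use: its own, initially empty jar."""
    return http.cookiejar.CookieJar()


def cookie_header_for(jar, url):
    """Cookie header the jar would attach to a request for url, or None.
    With the shared jar, whoever answers for example.com over TLS gets the
    session cookie; only certificate verification decides who that is."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def thumbnail_ssl_context(strict=True):
    """strict=True mirrors 3.5.4: chain and hostname are verified, so an
    impostor with a bad certificate never completes the handshake.
    strict=False reproduces the pre-3.5.4 weakness, for comparison only."""
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False   # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_certificates(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def thumbnail_opener(strict=True):
    """Opener for background fetches: strict TLS plus a private cookie jar."""
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=thumbnail_ssl_context(strict)),
        urllib.request.HTTPCookieProcessor(private_cookie_jar()))
```

The opener is never used against the network here; the point is the request-building logic, which can be checked offline.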
The Agile Web Solutions team fixed this bug very quickly after I notified them of the issue and should be commended for their quick response. They responded to this issue within 1 hour (wow!), and had a fix available to the public within 2 weeks. Given that I reported this over New Year's, that's incredibly impressive. Good job guys!
1Password users should update to the latest version so they are no longer vulnerable to this attack.
Nice catch! Did you do a sweep of many apps testing this, or was this a one-off?

Thanks! I wouldn't call it a big sweep, but I have tested a number of apps I use on a regular basis. 1Password is the password manager I use, and I really like the software. I targeted this issue as part of the testing I felt I needed to do to feel comfortable trusting 1Password. The Agile team is really great to report bugs to, by the way. That's why, despite occasionally finding a bug like this, I am a huge fan of their software.

As a side note, non-MITM bugs are going to show up sooner or later, but I've been waiting on vendors to fix them.